cosign-discuss at umich.edu
general discussion of cosign development and deployment
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: Kerberos Tickets
Yes Johanna's reply was good (thanks Johanna, I didn't get back to you on
this; I haven't had the time to test the bug fix, and I may not until it is
decided to with CoSign), and it is pleasing to see the turn around for bug
fixes is excellent!
The Kerberos issue is not such a problem, I always assumed it was the TGT,
but the submission you made to the WebISO Web Application Agent
Questionnaire seemed to suggest otherwise (although it is possible I misread
I think it would be nice to, as you suggested, implement a finely grained
approach as opposed to just a yes/no type of authorization. Like you say,
the approach would be to have a list of services the application can request
ST for, and possibly a special tag as 'tgt' to allow the application to
actually get the TGT for the user as well.
BTW: If we do go into production with CoSign, we will be very willing to
implement changes which we think are good, and submit them back into the
CoSign main release if they are of benefit to anyone else, we will not be
expecting you guys to implement changes we need :).
From: kevin mcgowan [mailto:clunis@xxxxxxxxx]
Sent: Thursday, 1 April 2004 6:36 a.m.
To: Brett Lomas
Subject: Re: Kerberos Tickets
On Mar 30, 2004, at 10:20 PM, Brett Lomas wrote:
> Thanks for the reply on the hardware and all, very helpful.
glad to help. I trust Johanna's reply was helpful too?
> CoSign and Kerberos question. When an application requests a Kerberos
> (the RETRIEVE command to cosignd) it appears to be allowed to specify
> ticket name (eg imap/imap.auckland.ac.nz@xxxxxxxxxxxxxx). This looks
> to be a
> service account (in the examples I have seen), does this mean that a
> ticket is passed back to the application, and not a/the TGT the cosign
> obtained to authenticate the user?
That's the eventual plan, Brett, but currently it is the TGT that is
returned. You'll note the 0/1 in cosign.conf to determine whether a
service can request Kerberos credentials? In theory this could
eventually be a list of services for which a service is allowed to
request service tickets (e.g. mail can ask for imap, directory can ask
for ldap, etc.). We were sure, during early development, that not
distributing the TGT would be a major feature requirement. So far it
just hasn't been (for us, anyway).
Is this a make or break feature for your site?